Security vendor FireEye recently published a report describing the carder business of two cyber criminals called “Vendetta Brothers.” The two cyber criminals are likely operating out of Spain and Eastern Europe. They currently operate an underground website for selling stolen credit and debit card data from 639 banks in 41 countries via phishing attacks. They offer about 10,000 cards for sale, which is relatively small comparing to other carder business. One interesting thing is that how the brothers operated to scale their criminal business. They diversified their business using legitimate business tactics like outsourcing. One tactic is that they partnered with hacker without malware to obtain card data but have gained access to POS terminals remotely or physically. The brothers have the hackers to di the dirty work and so they can focus on higher-level planning. One thing I’m surprised is that the data of 10,000 stolen cards is still considered as small carder business. If 100,000 cards are considered as a large business and there are 10 carder businesses exist, 0.1% of world’s credit card information may be stolen, since the number of world’s credit cards is around 1 billion in 2015. Another thing is that even hackers now are able to use business tactics to mange and scale their operations. They use legitimate tactics to do illegal business. It makes me think about one of the largest criminal organization, Yamaguchi-gumi in Japan. It operates more like a company rather than a criminal organization. It does have criminal activities like arms trafficking and bank fraud, but it also does legitimate business.